Understanding Cyber Liability Insurance Coverage
By now, you’ve heard the reports and fallout from the recent breach of millions of consumer records from a medical billing agency. Suddenly, those seemingly distant stories of hackers and cyber crime have hit much closer to home in the ARM industry. Whether the incident is a record breach or a denial-of-service attack that shuts down your servers, a cyber insurance policy can help you respond faster and more efficiently to a crisis.
Cyber liability coverage is a vital but constantly evolving and often confusing form of insurance. With the increased frequency of hacks and breaches worldwide, collection firms are potentially attractive targets because they store large amounts of consumer data containing personally identifiable information (PII) and protected health information (PHI). Cyber insurance has become a standard requirement for many collection contracts and association membership certifications.
It is important to have a basic understanding of the components of cyber liability insurance to make sure you have the protection you need. The results of a network security incident or breach can range from an inconvenient stoppage of daily operations to a financially devastating breach with costs for notification requirements, lawsuits, investigations, credit monitoring and more.
A cyber claim, regardless of the incident, can involve two types of costs: first-party and third-party expenses. First-party costs include any expenses of the company directly related to the breach, including state-regulated notification costs, reputation management, legal and network investigation costs, and the loss of income during a breach. Third-party costs cover expenses incurred from outside the company and may include legal defense, settlements, and regulatory fines and penalties.
Every insurer’s cyber liability policy form is different, but there are several key coverage categories to look for in addition to the basic privacy liability defense costs.
Consumer Notification Costs:
Breach notification cost, sometimes referred to as event management expense, is the limit of insurance designated to notify consumers in the event of a breach. Each state has passed legislation requiring private entities to notify consumers of security breaches when their personally identifiable information is compromised. State laws typically define compliance expectations and what is considered a breach. Often, written and mailed notification is required, which can become very costly in large numbers.
Cyber extortion is the act of demanding payment by threat of data compromise, system lockdown, or other threats requiring a ransom. Extortion coverage is the specific limit designed to pay demands and ransom. It may include forensic investigation costs and fees for consultants to help you guard against future incidents.
Business interruption limits cover the loss of income and operations expenses when interrupted or suspended due to a breach of network security. For example, if a hacker holds your system for ransom and you can’t conduct business, or your system is shut down while trying to repair damage, the business interruption limit would cover the lost income. General liability packages often include coverage for business interruption costs, but most of these exclude business interruption claims arising from a network security event. That makes this a critical coverage to have on your cyber policy.
Regulatory/PCI fines coverage:
Specific limits can help cover the costs of dealing with state and federal regulatory agencies which oversee data breach laws and regulations. Costs can include defense, penalties, and fines due to regulatory and PCI compliance violations.
Cyber crime coverage includes limits to indemnify funds lost through email phishing, telephone fraud, fraudulent instructions, or anything dealing with the voluntary transfer of funds due to a scam. Some policies will exclude or sublimit cyber crimes, which may help with premium costs. Generally, this coverage is not included on a standard crime/theft policy.
Many errors & omissions and general liability policies can endorse a limited amount of network security liability to defend lawsuits, but these endorsements are frequently inadequate for notification expense and other important components.
Cyber insurance premiums are primarily rated on company revenues, number of stored consumer records, and loss history. There are, however, other factors that can influence the quote options in positive ways, including network access and security protocols, monitoring systems, and data storage.
When filling out applications, it is important to include as many security and procedural details as possible to help in the underwriting process. As underwriters evaluate the risk, operational details can help them provide a more accurate and informed quote option.
If you have questions about your current cyber policy or are interested in obtaining a quote, please contact us.